
Restrict connection to RDS database based on IAM Role and RDS tag


G'day!

I have IAM Authentication turned on for my RDS databases.

I can successfully connect using an authorised role and am denied when using an unauthorised role.

However, I have a role that I would like to be able to connect to some databases but not others and I'd like to avoid having to list the databases explicitly in the IAM Policy.

The policy already restricts several rds:? Actions using a Condition clause that checks for the existence of a tag on the RDS Resource. So I thought I could try the same thing for the rds-db:connect Action:

          # Statement from a CloudFormation IAM policy (YAML); the intent is to deny
          # rds-db:connect on any instance carrying the tag restricted-access=true
          - Sid: DenyRDSLogin
            Action: 'rds-db:connect'
            Effect: Deny
            Resource: 'arn:aws:rds-db:*'
            Condition:
              StringEquals:
                'rds:db-tag/restricted-access':
                  - 'true'

But it doesn't work because, I assume, the Resource is arn:aws:rds-db:* which doesn't have any tags as it's not a "physical" resource.

Am I barking up the wrong tree?

Thanks!
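An added example, not part of the question above: a small offline model of how IAM evaluates the poster's Deny statement, assuming (as the post does) that the rds-db:connect request context carries no rds:db-tag keys. It applies the documented rule that a StringEquals condition whose key is absent from the request context evaluates to false, so the Deny never matches and an ordinary Allow on the same action wins; the ARN, account id and user name are constructed placeholders.

```python
from fnmatch import fnmatch

# The poster's statement re-expressed as a JSON-style policy dict (constructed).
DENY_TAGGED = {
    "Sid": "DenyRDSLogin", "Effect": "Deny", "Action": "rds-db:connect",
    "Resource": "arn:aws:rds-db:*",
    "Condition": {"StringEquals": {"rds:db-tag/restricted-access": "true"}},
}
# An assumed plain Allow on the same action and wildcard resource.
ALLOW_ALL = {"Sid": "AllowRDSLogin", "Effect": "Allow",
             "Action": "rds-db:connect", "Resource": "arn:aws:rds-db:*"}


def statement_matches(stmt, action, resource, context):
    """True when the action, the resource and every StringEquals key match."""
    if not fnmatch(action, stmt["Action"]) or not fnmatch(resource, stmt["Resource"]):
        return False
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key not in context:      # key missing from the request: condition is false
            return False
        if context[key] != wanted:
            return False
    return True


def evaluate(statements, action, resource, context):
    """IAM order of evaluation: an explicit Deny beats any Allow; no match is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Constructed request: db user "app" on a placeholder instance resource id.
RESOURCE = "arn:aws:rds-db:ap-southeast-2:123456789012:dbuser:db-EXAMPLE/app"

# No tag keys in the rds-db:connect context: the Deny is skipped, the Allow applies.
NO_TAGS = {}
print(evaluate([ALLOW_ALL, DENY_TAGGED], "rds-db:connect", RESOURCE, NO_TAGS))

# If the key were present (as it is for the rds:* actions the poster already
# restricts) the same statement would fire (constructed context).
WITH_TAG = {"rds:db-tag/restricted-access": "true"}
print(evaluate([ALLOW_ALL, DENY_TAGGED], "rds-db:connect", RESOURCE, WITH_TAG))
```

The point the model makes is that a tag condition that can never be evaluated fails open, leaving only the Allow in effect.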
